💾 Archived View for tsqrl.xyz › gemlog › 2022-03-24_sshlockout-on-openbsd.gmi captured on 2023-01-29 at 02:39:25. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-04-28)

-=-=-=-=-=-=-

Configuring sshlockout on OpenBSD

You best protect ya neck

sshlockout is similar to fail2ban: you can use it to block IP addresses attempting to brute-force ssh.

With sshlockout, we collect repeated failed auth attempts from syslogd and tell the pf firewall to block those IPs.

Note: All commands run as root.

1. Install sshlockout

pkg_add sshlockout

2. Add to /etc/pf.conf

Create an in-memory table named "lockout" and block ssh attempts from IPs in that table.

table <lockout> persist { }
block in log quick on egress proto tcp from <lockout> to port ssh

Reload pf.conf

pfctl -f /etc/pf.conf

3. Add to /etc/syslog.conf

Log auth attempts to the sshlockout command, which will write the IPs of repeat-offenders to the pf table.

auth.info;authpriv.info | exec /usr/bin/doas -n /usr/local/sbin/sshlockout -pf lockout

Restart syslogd

kill -HUP $(cat /var/run/syslog.pid)

4. Add to /etc/doas.conf

Allow the syslog user to run sshlockout as root.

permit nopass _syslogd as root cmd /usr/local/sbin/sshlockout

5. Add to root's crontab

Clear the lockout table once a day.

3 3 * * * pfctl -t lockout -T expire 86400

6. Confirm

To check if it's working, you'll see that sshlockout is mentioned in the auth log.

tail -f /var/log/auth.og

And, you can see the IPs in the lockout table:

pfctl -t lockout -T show

To get a count of IPs:

pfctl -t lockout -T show | wc -l

If you want to see the pflog in real time:

pflog -n -e -ttt -i pflog0

7. Bonus

To disallow password login, edit /etc/ssh/sshd_config:

PasswordAuthentication no

Restart sshd

rcctl restart sshd

Note: this change will likely make it so that sshlockout is unnecessary in the first place, making this less "fun"

Credits

Solene's thread reply on marc.info

sshlockout readme with additional info about doas